Biometric Hacking

Biometrics can be fooled just like any other access management system: by being spoofed. A fingerprint can be duplicated using gelatin molds and then pressed against the scanner of a fingerprint reader, granting entry to a malicious user. Voice recognition systems have been defeated with voice recordings and face recognition systems bypassed with photographs of the legitimate user.

A particularly nasty way of getting past a fingerprint scanner would be to chop off the finger of somebody whose fingerprint is registered with the system. Gruesome, yes, but it has happened. Less brutal, but equally effective, would be to force the legitimate user at gunpoint to put their finger on the reader and then just pass them when the door opens, or the system activates. Either way, like stealing a good key, the intruder is taking advantage of the legitimate user's "credential," in this case their fingerprint, to gain access.

These sound like far-fetched scenarios and may seem harder crimes to commit than the standard hacker trick of dropping a Trojan on the desktop and stealing a user ID and password, but they can and do happen.

The other way to fool biometrics is by replaying their digital data. All biometric data -- whether photos of faces from face recognition systems, fingerprints from scanners or voice recordings -- is converted, at some point, into a digital format that can be stored on a computer system, a database or a portable storage device. When the user needs to log in again by showing their face, rubbing their fingerprint or speaking into a microphone, this information is converted into a digital format that can be compared with their digitized biometric data already stored in the system.

These scenarios are definitely more far-fetched than the borrowed fingerprint, gelatin or otherwise, but are things to consider when deploying biometric systems. Just as the system itself needs safeguarding, the data stores or databases holding digitized biometric information also need protection from malicious intruders.

Other technologies used with biometrics, such as smart cards, have other vulnerabilities that need to be considered. Smart cards look like, and are the size of, a credit card, but, unlike credit cards, carry an embedded microchip holding any number of pieces of data: customer information, medical records or financial information, and even sums of money. The card is either swiped through a device that reads it or is inserted into a reader. The user may then be required to enter a PIN number to get access to the system. However, these tiny microchips can only receive so much protection in something as small as a credit card. They are also sensitive to light and can be easily scraped or damaged. Researchers have found ways to steal the data on the microchip by tampering with the cards using light from camera flashbulbs and signals from radio devices.

In short, despite the vulnerabilities, combining these systems -- biometrics and smart cards -- protects systems through a multi-layered approach.